Forced on many network administrators by chat-loving CEOs and work-at-home users, Instant Messaging (IM) has become today's killer app. However, IM brings with it a slew of new support concerns and security holes. (For information about the risks associated with IM and what you can do to reduce them, see "Protect Your Instant Messaging," August 2002, http://www.winnetmag.com, InstantDoc ID 25669.) The most popular personal IM clients provide little or nothing in the way of security or management tools. If your company uses IM, you can keep your network secure and make your life easier by standardizing on a robust corporate IM client that provides security, centralized administration, and expanded feature sets.
What Most Clients Lack
The most widely used IM clients are AOL Instant Messenger (AIM—http://www.aim.com), MSN Messenger (http://messenger.msn.com/download/download.asp), and Yahoo! Messenger (http://messenger.yahoo.com). ICQ (http://web.icq.com), mIRC (http://www.mirc.com), and Jabber Messenger (http://www.jabber.net) are some other popular shareware or freeware IM clients. All these clients are great for personal use, but they lack features that are essential in corporate environments.
For starters, these clients provide little or no security. Many personal IM clients don't require passwords, and users can easily pretend to be someone else. Any user can create a logon ID and claim to be the CEO of his or her company—no vetting or authentication mechanism verifies identity. In contrast, corporate IM clients often tie a user's IM identity to existing network credentials, usually through a Lightweight Directory Access Protocol (LDAP)enabled connector. This approach lets the network administrator manage who can and can't use IM.
Personal IM clients almost always send messages across the network and Internet as clear text. Most IM clients use some form of message digest or challenge-response mechanism to avoid sending passwords as clear text, but all other session data is visible. Even if your users use personal IM clients to send messages only to other internal users, the messages still cross the Internet in clear-text form to the IM network's servers before returning to your network. Several freeware and commercial programs, such as FaceTime Communications' IM Auditor, Akonix Systems' Akonix L7, and iOpus Software's STARR Professional, can easily monitor and record IM conversations. Secure corporate IM clients offer built-in encrypted communications that are turned on by default. Some corporate IM solutions are even smart enough to encrypt traffic only when it departs from the local LAN. However, not all products that incorporate encryption do it well; to learn what to keep in mind when evaluating a client's encryption capabilities, see the sidebar "Encryption: Buyer Beware."
Most personal IM clients don't adequately protect multiple users on a shared machine. For example, because most IM clients that have message-capturing ability write their logs to an unprotected file in the installation directory, users who share the same client can read messages belonging to other users on the client. One logged-on user can easily impersonate another, read the other user's chat session (if that user saved transcripts), and reconfigure the client. Intruders can hijack chat sessions, and users can download worms and viruses. And, to the frustration of network administrators, IM clients are all too willing to circumvent pesky corporate firewalls. Corporate clients won't actively circumvent a firewall, and the systems administrator can control which IP port the client uses and which users can use the client.
Most personal IM clients also don't provide a way to automate installation and configuration for multiple clients or a central place to archive messaging content. Nor do they include a mechanism to ensure that users don't turn on auto-downloading or that they keep their antivirus scanners up-to-date. Corporate clients include those enterprise mechanisms and provide ways to keep the desktop IM client up-to-date as vendors identify and patch security holes.
Corporate IM Clients
Dozens of corporate clients compete for your organization's IM traffic. Many popular email and messaging vendors, including Microsoft, IBM, and Novell, have offered corporate IM products for a year or two. AOL, Microsoft, and Yahoo! have developed enterprise editions of their popular freeware clients. And several new vendors provide robust IM offerings that offer stability and privacy.
Most corporate IM clients (and all of those I discuss later unless otherwise noted) offer the following features:
- user authentication
- encrypted communications
- support for antivirus software
- centralized distribution and management
- feature enabling and disabling
- logging and auditing
- customizable away (i.e., vacation or out-of-office) messages and replies
- support for the Session Initiation Protocol (SIP) and SIP for Instant Messaging and Presence Leveraging Extensions (SIMPLE) IM standards (for more information about these standards, see the sidebar "SIP and SIMPLE")
- support for PDAs and handheld devices
Some corporate clients use their own proprietary protocols; others interoperate with two or more different IM services. If you're looking for a corporate client that will work with multiple IM networks, be sure to do your homework to determine which products the client you're considering will and won't interoperate with. Some public IM networks actively block unlicensed connections. For example, AOL is notorious for building technical walls to prevent third-party communications with its messaging network—frequent changes to AOL's IM network have prevented Jabber and other ICQ clients from connecting without regular interruptions. Clients that support encryption usually require the same client at both ends of the chat. Depending on the corporate client you choose, you might host your own IM server or gateway or use the vendor's hosting services.
The following selection of products offer reliable end-to-end corporate IM. The first three clients are from the largest public IM vendors, followed by some other vendor offerings. Although space restrictions prevent me from providing a lot of detail about each product, you can visit vendors' Web sites to learn more.
Enterprise AIM Services. Announced in May 2002, AOL's Enterprise AIM Services (http://www.aim.com/get_aim/enterprise/enterprise.adp) was among the earliest corporate versions of a personal IM client. When deployed with the AIM Enterprise Gateway, Enterprise AIM Services keeps internal traffic inside the network. The gateway, which starts at $34 per seat, lets network administrators control IM use by user and group and includes routing and auditing capabilities. Enterprise AIM Services lets you store content centrally and scan it by keyword, date, and contact name; AOL promises that in the near future you'll be able to encrypt traffic that leaves the local network if the receiver also uses Enterprise AIM Services. VeriSign will provide digital certificates for this product.
Yahoo! Messenger Enterprise Edition. Yahoo! Messenger Enterprise Edition (http://enterprise.yahoo.com/messenger) uses128-bit encryption and Secure Sockets Layer (SSL) for secure communications. The client can communicate with LDAP-enabled directories for user authentication. Yahoo! Messenger Enterprise Edition provides centralized client management and lets administrators force users to use antivirus software. Yahoo is targeting first quarter 2003 as a general release date; pricing wasn't available at press time.
Microsoft clients. Although Microsoft has had nearly a dozen chat offerings over the past decade, Windows Messenger and MSN Messenger put the company on the map in the IM market. Microsoft already has a corporate IM solution, Instant Messaging Client for Exchange 2000 Instant Messaging Service, that lets users chat locally or over the Internet. You can administer the client as part of Exchange. Microsoft Exchange 2000 Server's IM feature doesn't offer encrypted communications, however.
Currently scheduled for a first quarter 2003 release, Microsoft's next-generation IM platform, MSN Messenger Connect (http://www.microsoft.com/net/services/msn_messenger_connect.asp), will work with the Exchange 2000 IM client, Active Directory (AD), and Microsoft SQL Server databases. Although Microsoft hasn't provided many details, MSN Messenger Connect will offer most of the same features as the AOL and Yahoo! offerings but will also leverage Microsoft technologies, such as AD, SQL Server, and Exchange. The price should be about $24 annually per user, with volume discounts available.
Groove. Some messaging experts consider Groove Networks' Groove Workspace (http://www.groove.net) to be the perfect combination of email, IM, and collaboration tools. Creator Ray Ozzie won 65 million customers over to his earlier paradigm-creating software, Lotus Notes, and he expects to far exceed those numbers with Groove. Developers built security into Groove from the ground up: Shared communications use VPN channels by default, and the software authenticates users as well as encrypts message data on the network and on disk. Only authorized group members can view messages on the network, and only the data owner can view data on disk. Whereas most IM vendors' documentation contains only a few sentences about encryption, Groove Networks devotes 23 pages to the subject. If you need secure, well-thought-out messaging, you should take a look at Groove. Pricing starts at $49 per user with volume discounts available.
IBM Lotus Sametime 3. IBM claims that more than 7 million corporate users have adopted IBM Lotus Sametime 3 (http://www.sametime.com). Used with a Lotus Notes or browser-based client, Sametime provides all the features a company needs for IM, document collaboration, and Web conferencing. Sametime implements encrypted communications and password-protected private channels and lets you log messages to the desktop or to a central server. Pricing starts at $36 per user.
Novell GroupWise 6.5. Novell intends to put proprietary IM into the final release version of its GroupWise 6.5 email software (http://www.novell.com/products/groupwise). According to the vendor, GroupWise IM will contain most of the features typically available in corporate IM clients, including message logging, but won't have auditing or keyword search capabilities. Pricing was unavailable at press time.
Jabber. Jabber is an open-source XML-based IM protocol developed with an eye toward interoperability between diverse products such as AIM, ICQ, MSN Messenger, Yahoo! Messenger, SMTP, and Internet Relay Chat (IRC). Although Jabber-based clients are robust enough to stand alone as a private IM service, Jabber gateways allow interoperability with many public networks. The Jabber server doesn't directly support user authentication, but you can deploy open-source or commercial customized modules to support LDAP-compatible directories. Like most open-source products, Jabber-based clients don't have the rich feature sets of their commercial cousins, but they can support user authentication, encryption, and logging features with other open-source add-on products and a little elbow grease. At least half a dozen Windows-based Jabber clients support encrypted communications. For a list of Jabber clients, go to http://www.jabber.org/user/clientlist.php.
Trillian. Cerulean Studios' Trillian Pro (http://www.trillian.cc) uses a 128-bit Blowfish cipher with Diffie-Hellman key exchange to secure communications. Although Trillian Pro works with IRC, AIM, ICQ, MSN Messenger, and Yahoo! Messenger traffic, it can encrypt only AIM and ICQ traffic. Considered one of the more feature-rich third-party clients, Trillian Pro's lengthy list of features includes skins and an actively supported API plug-in. Pricing is $25 per workstation.
e/pop. WiredRed Software's e/pop IM client (http://www.wiredred.com) comes in basic, professional, and Java versions. All versions are encryption-enabled, authenticate end users, and include centralized management and logging capabilities. The professional client also offers remote control and application sharing. e/pop 3.0 Professional Client starts at $199 for five users; e/pop Basic starts at $179 for five users.
Imici Business Messenger. Imici Business Messenger (Imici.BM—http://www.imici.com) supports AIM, ICQ, Yahoo! Messenger, and MSN Messenger from one interface. Imici uses the MD5 message digest algorithm for session authentication, RSA for peer encryption and symmetric key exchanges, and Blowfish for session encryption. Pricing is $250 annually for the license fee plus $2 per user per month. The company also sells Imici Enterprise Server and a software development kit (SDK) to companies that want to host their own customized IM services.
Bantu IM & Presence Platform. Bantu (http://corp.bantu.com) offers Bantu IM & Presence Platform, a Java-based client that works on Windows, Macintosh, Linux, and Sun Microsystems' Solaris. This client interoperates with AIM, MSN Messenger, and Yahoo! Messenger and offers logging, alarm triggers, and customized alerts. Bantu IM & Presence Platform uses a proprietary encryption routine and SSL to secure messages. Pricing is $25 per workstation per year.
Professional Online Desktop. Omnipod's Professional Online Desktop (POD—http://www.omnipod.com) offers typical corporate IM features secured by 168-bit Triple DES (3DES) SSL encryption. Because POD lets users import personal buddy lists from popular IM clients, it can ease a corporate IM implementation. Pricing starts at $15 per user per month, with volume discounts available.
For companies that aren't ready to invest in a premium corporate IM client or that must communicate with users who run only personal IM clients, dozens of third-party clients and utilities are available that can make personal IM clients more secure, although they don't provide other corporate IM features. Table 1 lists some of these offerings.
Securing IM
The task of securing IM begins by determining your network's current level of IM use. Many network administrators confidently maintain that their networks carry no IM traffic. In many cases, however, administrators neglect to configure their firewall to monitor the common IM ports (e.g., 6040 and 5190 for AIM). Furthermore, today's IM clients automatically probe network firewalls to find open outgoing ports, and users might happily be using port 80 for chats.
Consider using one of the IM eavesdropping tools that I mentioned earlier (e.g., Akonix L7) or Snort (http://www.snort.org), an open-source Intrusion Detection System (IDS), to sniff out rogue IM traffic on your network. When you find unapproved IM clients, you should remove them from your users' computers and reiterate your organization's acceptable-use policy for computers.
If you decide that you want to support IM in your enterprise environment, get a corporate product that fulfills your needs. The biggest initial consideration is whether you'll be supporting external communications across the Internet or only local traffic. Most of the corporate solutions I've mentioned support both kinds of traffic. If your end users must communicate with people who use noncorporate IM clients, you'll need to pick a product that interfaces with the public IM network.
If you manage a Windows network, pick a corporate client with support for AD or Windows NT authentication. Some products directly support NT LAN Manager (NTLM) authentication for NT 4.0 domains and AD mixed-mode environments. Although Exchange and MSN Messenger Connect offerings are AD-enabled, most corporate IM clients use LDAP connectors to interface to the AD directory service.
Like the first-generation network-aware email systems of yesteryear, corporate IM products provide varying levels of AD integration. Some IM systems can use the LDAP/AD interface only to discover user identities and create IM accounts during installation, while others can maintain a synchronized user directory. To help you weigh life-cyclemanagement costs, query vendors about their products' level of AD support.
When you install the corporate client, configure it to
- require users to authenticate to the IM client, either with a separate logon or a single sign-on (SSO) using network credentials
- automatically encrypt all communications whenever possible
- turn off automatic file downloading
- force antivirus scanning of downloaded files
- make your Internet edge connection device, if you have one, scan IM packets
- force your IM clients to use HTTP as their transport protocol if your gateway scans only HTTP traffic
- force the IM client to check for version updates at least once a week
- lock down client settings so that users can't change them
Be Proactive
End users and managers are demanding IM as a legitimate business tool, but the days of unmanaged IM within the corporate environment are coming to an end. Corporate IM clients authenticate users, encrypt traffic over the network and Internet, and support logging and auditing. Such products also provide centralized distribution and administration and have customizable feature sets. Savvy, security-conscious network administrators will insist on implementing a stable, secure corporate IM product that fits their environment.
